How a Single Checksum Collapsed EDR Integrity
Time to Transition Toward HSM-Based Security
January 2026 print issue / Reporter Sang Min Han_han@autoelectronics.co.kr


Prof. Woo stated, “We hope this research becomes the starting point for advancing automotive cybersecurity and modernizing crash-investigation practices. By properly combining existing technologies such as HSMs, secure storage, and digital-forensic methods, the EDR can become a far more trustworthy device than it is today.”

The Event Data Recorder (EDR) has long been treated as the “black box” of vehicle crashes. But researchers at Dankook University have experimentally demonstrated that it is, in fact, a storage device that can be tampered with. Through repeated crash experiments using an Airbag Control Unit (ACU) and an in-house Vehicle-in-the-Loop Simulation (VILS) system, they confirmed that key accident-scenario parameters - such as brake status, speed, and pressure values - can be rewritten arbitrarily. The study reveals that today’s checksum-based integrity verification is fundamentally incapable of protecting EDR data, raising the urgent need for a new integrity-assurance mechanism built on Hardware Security Modules (HSMs).

By Sang Min Han, Editor_han@autoelectronics.co.kr


A research team led by Prof. Samuel Woo of Dankook University’s Intelligent Transportation System Security Lab repeatedly reconstructed identical crash conditions dozens of times using an ACU and a self-built VILS setup. They extracted and analyzed the resulting EDR binaries - and in the process, they reproduced a full hacking method capable of rewriting accident scenarios composed of brake, speed, and pressure values.
Crucially, they verified that the storage format and integrity-checking logic known to manufacturers are insufficient for protecting EDR data. The long-held belief that “EDR data is encrypted and therefore safe” has collapsed completely.
While acknowledging the importance of EDRs in crash investigation, the team argues that the current architecture - dependent on simplistic checksum-level integrity checks - cannot sustain consumer trust. They recommend that manufacturers combine established cybersecurity technologies such as HSMs with digital-forensic principles to elevate EDR reliability. The team also developed an “EDR Imager” and is calling for a comprehensive redesign of major-accident investigation workflows.
In November, Auto Electronics Magazine met with Prof. Woo’s team.



EDR, the Emerging Standard of Crash Investigation

EDR stands for Event Data Recorder, a device that records crucial vehicle state information during the roughly five seconds before and after a crash. It stores parameters such as vehicle speed, engine RPM, brake or accelerator pedal engagement, and pedal-pressure values. This allows investigators to understand the vehicle’s behavior immediately before and after impact with a high degree of clarity. The EDR is typically integrated into the Airbag Control Unit (ACU), the component best equipped to detect crash events with precision.
Modern vehicles contain dozens, sometimes hundreds, of ECUs that continuously generate digital data. The era of depending solely on dashcams or CCTV footage to infer crash scenarios has passed. Today, vehicles produce precise sensor data internally, enabling far more scientific interpretation of crash dynamics. ECUs continually broadcast their state - such as speed or RPM - during normal driving, and upon detecting a crash event, a specific portion of this data stream is cut and saved. This becomes the EDR dataset.
With this technological shift, EDRs were mandated starting in 2015, and vehicles released after that point generally include an ACU equipped with EDR functionality. The system has become the de facto global standard tool for automotive crash investigations.



370 Crashes and One Question:
“Why Couldn’t 16% Even Be Investigated?”


Interestingly, the research team did not initially set out to “hack” the EDR.
Their work began in 2020 when they collaborated with the Supreme Prosecutors’ Office of Korea on automotive digital-forensics research, focusing primarily on navigation-system forensics. After this project received strong evaluations from investigators, the team was assigned a new government-funded project (2022 - 2024) by the Ministry of Science and ICT titled “Development of Techniques for Collecting and Integrating In-Vehicle and External Architectures Through Event-Based Experimental Systems.”

“The starting point was real-world crash-investigation statistics. According to the National Forensic Service (NFS), an analysis of roughly 370 crash cases between 2020 and 2024 revealed that in 54 cases - about 16% - the investigation could not proceed because the EDR was missing or too damaged,” Prof. Woo explained.

Cases involving vehicles without EDR functionality (pre-2015 models) were expected. But alarmingly, a significant number of vehicles with EDRs could not be investigated.
The most common reason was fire.
In severe collisions where the vehicle caught fire, the entire ACU was often destroyed, preventing the NFS or police from extracting any data. This fact was already widely acknowledged in the industry.
But upon opening real fire-damaged ACUs themselves, the research team discovered something surprising:
Even when the outer housing and parts of the PCB were burnt, the storage medium containing the EDR data often remained physically intact.
This indicated that if the surviving memory chip could be properly recovered, the EDR data could be reconstructed into a valid forensic report - even for fire-damaged vehicles. This discovery rapidly reshaped the focus of their research project.





National Forensic Service, On-Site Investigations, and the Tools Developed by the Dankook University Team
The National Forensic Service (NFS) and the Korean National Police Agency have long applied digital-forensic techniques to crash investigations. However, due to equipment and procedural limitations in real-world field environments, highly rigorous forensic analysis is not performed in every case. According to Prof. Woo, if investigators can obtain an EDR report by connecting a standard reader to the vehicle’s OBD-II port, they typically proceed with the crash investigation based on that report. If the vehicle is severely damaged, they remove the ACU and connect it directly to the reader. But when the ACU is destroyed - such as in fire incidents - investigations are often halted because data can no longer be retrieved. The tools developed by the Dankook University research team aim to address precisely this gap. The team created a bridge device (also known as a Chip Swap tool) that links a fully damaged EDR to a functioning EDR, with the forensic reader positioned between the two, allowing investigators to extract data through a bypass pathway even when normal interfaces are destroyed.




Reconstructing the Accident:
The VILS (Vehicle-in-the-Loop Simulation) Crash Lab


To validate this possibility, the team built a dedicated VILS crash-simulation environment on the first floor of their research building.
The setup used a real vehicle, interfaced with GPS-spoofing and various measurement devices so that the vehicle “believed” it was driving on an actual road, such as the streets of Sangam-dong. When a head-on or side-impact collision was triggered in the simulator, the physical vehicle reproduced the same crash scenario. For safety, the real airbag was removed and replaced with a warning light that visually indicated an airbag-deployment event. The eCall system was also synchronized to behave exactly as it would in a real accident.
This environment allowed the entire sequence - EDR data generation → extraction → restoration → verification - to be repeated dozens of times under identical conditions. It was optimized to analyze and validate EDR behavior under various crash, braking, acceleration, and steering scenarios.

Prof. Woo explained:
“In 2017 - 2018, the NFS tested EDR reliability by physically crashing vehicles into concrete walls. But since each vehicle can be crashed only once, such tests cannot support true repeatability. To understand how EDR data is stored internally, you need dozens of recordings under the same conditions - something impossible if you destroy the vehicle every time.”

Each ACU used in the experiments cost around KRW 250,000. By replacing only the ACU each time, the team recreated approximately 40 - 50 crashes, spending nearly KRW 10 million solely on modules. With this repetition, they established validated procedures and tools for safely extracting binaries from EDR memory and feeding them into a decoder to produce proper EDR reports.
The achievement represents not merely technological progress but a meaningful leap in Korea’s crash-forensic capabilities. The project was selected as an outstanding government-funded research outcome by the IITP (Institute for Information & Communications Technology Planning & Evaluation) in 2024.



Decoding 20 Bytes Inside an EEPROM:
Unraveling the Hidden Structure of EDR Data


During the recovery research, the Dankook University team discovered cases in which EDRs had been “reset” and reused - meaning the stored crash data had been intentionally erased prior to reinstallation. This raised a deeper question: structurally speaking, is EDR data truly an immutable record?
To answer this, the team expanded their research to include decoding and tampering analysis.
The first step in EDR decoding and manipulation is to determine where, in what format, and under what rules the crash data is stored. The team began with a thorough hardware-level analysis of the ACU’s PCB. After dismantling the board, they found five to six chips presumed to be memory devices (likely EEPROM). They removed the conformal coating from each and traced them one by one, eventually identifying the specific chip used for EDR storage.
When the memory contents were extracted before a crash event, the relevant region appeared filled entirely with FF bytes. But after inducing a crash under identical conditions and reading the memory again, distinct changes appeared in specific sections. From these patterns, the team confirmed that this region was where the actual accident record was stored.
Most EDRs use EEPROM or flash memory as their storage medium. Industry data suggests that roughly 60% of vehicles use EEPROM-based storage, and the model used in the study was also EEPROM-equipped. EEPROMs are accessible enough that, using digital-forensic tools such as the widely adopted BeeProg programmer, they can be treated almost like USB drives.
However, accessing the memory and understanding the data stored inside it are very different challenges.
A major obstacle was that each manufacturer - and even each vehicle model - stores data differently. Vehicle ECUs transmit messages in an “ID + Data” structure. For example, if the ECU with ID 0x0141 is an engine controller, it may broadcast something like “I am the engine controller, and my current speed is 9” every 10 ms. The “9” is just a raw hexadecimal value. To convert it to actual vehicle speed, you must apply a scaling formula defined internally by the manufacturer.
Some ACUs store each moment’s full message as-is. Others store only the data portion without ID, because the manufacturer already knows the decoding rules and sees no need to save the ID. Some vehicles save only partial segments of the data and discard the rest.
In other words, without access to the storage rules and decoding specifications, the EDR is essentially a “black puzzle.” This complexity has long been cited by experts as the reason why “EDR hacking is practically impossible.”







Solving the Puzzle Through Repetition:
20-Byte Event Blocks and 11 Rows of Crash Data


The research team tackled this challenge using the highly repeatable VILS crash setup.
They began with the brake system. First, they induced a crash while the brake pedal was pressed. Then they repeated the crash with the brake pedal untouched. They noticed that in cases without braking, a particular data region appeared as 01 01 01, while with braking it consistently changed to 02 02 02.
Building on this pattern, they combined brake on/off, accelerator on/off, steering inputs, and fixed-speed scenarios, collecting large volumes of EDR data under varied conditions. When exported as EDR reports, these datasets show speed, braking, engine torque, throttle position, and more - logged every 500 ms from -5 seconds to the crash moment.
By cross-referencing these report tables with raw memory dumps, the team mapped what each row and column corresponded to in the EDR binary.

Prof. Woo explained:
“As a result, we found that in our test vehicle, EDR data was structured in 20-byte event blocks. From -5 seconds to impact, 11 rows appear at 500 ms intervals, and we confirmed that the EEPROM indeed contained 11 blocks, each exactly 20 bytes. This established the fundamental rule that each row equals 20 bytes. From there, we could pinpoint where specific values - such as two bytes for master cylinder pressure or four bytes for vehicle speed - were located within the 20-byte frame.”



The Plot Twist:
Integrity Crumbles Under a Single Checksum
Rewriting Brake, Speed, and Pressure Values


However, “interpreting data” and “successfully hacking data” are two entirely different tasks.
Once the storage schema was decoded, a larger question emerged:
Is EDR data truly unalterable evidence?
The team proceeded with a full-scale hacking experiment to test whether EDR data could actually be manipulated.
Their initial assumption was based on the standard digital-forensics method of chip-off. They used hot air to detach the memory chip from the PCB, mounted it on a BeeProg-compatible adapter, extracted its binary contents like a USB drive, and examined it as raw hex data.
While effective for analysis, chip-off left visible solder marks and physical damage - unsuitable for simulating realistic malicious attacks.

Prof. Woo stated:
“Our goal was to verify whether the data could be manipulated without leaving any physical traces on the board. So chip-off alone couldn’t be considered a valid hacking scenario.”

To overcome this, the team modified portions of the BeeProg system and created a non-invasive tapping tool that makes micro-level contact with the memory pins while the chip remains soldered to the board. This allowed binary reading and writing without leaving physical evidence - far closer to a real-world attack.
Once the team combined the binary data with the decoded transformation formulas, they achieved a complete bit-level mapping between memory values and real-world vehicle behavior.
Now only one question remained:
Can EDR data actually be altered?
Experiment 1 - Manipulating a Single Brake Event
The first manipulation involved a single event where the brake was originally OFF.
They changed the brake value from 01 (off) to 02 (on) and regenerated the report.
The result:
The entire report broke into “invalid data.”
This indicated that the system had some internal integrity-checking mechanism.
So the team reset their hypothesis and began reverse-engineering the integrity-check logic.
The Shocking Conclusion - It Was Just a Simple Checksum
True cryptographic integrity requires cryptographic keys, which must be securely stored using an HSM. Companies like Infineon and Escrypt have promoted HSM-based secure storage since the early 2010s. But due to cost constraints, HSM usage in ACUs is extremely rare. The ACU used in the study also lacked an HSM.
Meaning:
The so-called “cryptographic protection” touted by some manufacturers was not cryptography at all.
The research team tested multiple conventional integrity schemes against the data - CIC (Count of Identical Characters), Hamming distance, and others. None matched.
The actual integrity mechanism, once discovered, was shockingly simple:
The system merely summed every byte of the hex dump and stored that total as the integrity value.

Prof. Woo explained:
“We leveraged this logic to modify a brake-off crash into a brake-on crash. The manipulated data passed integrity checks and produced a completely normal report.”
Experiment 2 - Rewriting the Entire Pre-Crash Scenario
After successfully manipulating one event, the team escalated their experiment.
In the original data, the driver had not touched the brake until 1.5 seconds before impact.
The researchers reconstructed the data so the driver appeared to be braking continuously from -1.5 seconds onward.
This required more than simply flipping brake bits:

- braking must raise master cylinder pressure
- originally zero pressure values were replaced with realistic braking-pressure patterns
- speed, RPM, and other high-magnitude fields were subtly adjusted to maintain the correct hex-sum integrity

The team demonstrated that a full accident scenario - brake, speed, pressure, and correlated values - could be rewritten, and the system would still declare the tampered data “valid.”
This confirmed that an EDR protected only by a checksum is vulnerable to complete scenario fabrication.
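As an added example (not code from the Dankook team or the ACU vendor), the following Python contrasts the byte-sum integrity value described above with a keyed MAC of the kind an HSM would compute over the same region. The field offsets inside the 20-byte row, the 16-bit width of the sum and the key are assumptions for illustration; the article only gives the row size, the 01/02 brake encoding and the 2-byte pressure and 4-byte speed fields.

```python
# Added example (not the Dankook team's code): why a byte-sum "integrity value"
# cannot protect an EDR region, and what an HSM-held key changes. Layout
# assumption: 11 rows x 20 bytes, brake byte 01 = off / 02 = on, 2 bytes of
# master-cylinder pressure, 4 bytes of speed; the offsets below are ours.
import hashlib
import hmac
import struct

ROWS, ROW_LEN = 11, 20
BRAKE_OFF, BRAKE_ON = 0x01, 0x02
OFF_BRAKE, OFF_PRESSURE, OFF_SPEED = 0, 2, 4          # assumed offsets


def make_region(brake_from_row: int, speed_raw: int, pressure: int) -> bytes:
    """Construct a sample 220-byte region with the brake off until brake_from_row."""
    out = bytearray()
    for i in range(ROWS):
        row = bytearray(b"\xff" * ROW_LEN)        # unwritten EEPROM bytes read 0xFF
        braking = i >= brake_from_row
        row[OFF_BRAKE] = BRAKE_ON if braking else BRAKE_OFF
        struct.pack_into(">H", row, OFF_PRESSURE, pressure if braking else 0)
        struct.pack_into(">I", row, OFF_SPEED, speed_raw)
        out += row
    return bytes(out)


def parse_rows(region: bytes) -> list:
    """Decode each 20-byte row into (time_ms, brake_on, pressure, speed_raw)."""
    if len(region) != ROWS * ROW_LEN:
        raise ValueError("region must be %d bytes" % (ROWS * ROW_LEN))
    rows = []
    for i in range(ROWS):
        r = region[i * ROW_LEN:(i + 1) * ROW_LEN]
        rows.append((-5000 + 500 * i, r[OFF_BRAKE] == BRAKE_ON,
                     struct.unpack_from(">H", r, OFF_PRESSURE)[0],
                     struct.unpack_from(">I", r, OFF_SPEED)[0]))
    return rows


def byte_sum(region: bytes) -> int:
    """The scheme the team found: add up every byte (16-bit width is assumed)."""
    return sum(region) & 0xFFFF


def hsm_tag(region: bytes, key: bytes) -> bytes:
    """Stand-in for a keyed MAC computed inside an HSM; the key never leaves it."""
    return hmac.new(key, region, hashlib.sha256).digest()


def compare_schemes(original: bytes, modified: bytes, key: bytes) -> tuple:
    """Verify a modified region against the sum and the MAC recorded for the
    original; returns (sum check passed, MAC check passed)."""
    sum_ok = byte_sum(modified) == byte_sum(original)
    mac_ok = hmac.compare_digest(hsm_tag(modified, key), hsm_tag(original, key))
    return sum_ok, mac_ok


# Constructed sample: no braking until row 7 (-1.5 s), then 200 units of pressure.
ORIGINAL = make_region(brake_from_row=7, speed_raw=0x12345678, pressure=200)
# Constructed tampered copy of the kind the article describes: brake bytes in
# rows 0-6 raised 01 -> 02 and one speed byte in each of those rows lowered by
# one, so the byte sum is unchanged while the recorded scenario is not.
_t = bytearray(ORIGINAL)
for _i in range(7):
    _t[_i * ROW_LEN + OFF_BRAKE] = BRAKE_ON
    _t[_i * ROW_LEN + OFF_SPEED + 3] -= 1
TAMPERED = bytes(_t)
DEMO_KEY = b"placeholder-key-that-would-live-in-the-hsm"
```

`compare_schemes(ORIGINAL, TAMPERED, DEMO_KEY)` returns `(True, False)`: the sum accepts the rewritten scenario, the keyed MAC does not.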




Chip-Off as the Last Resort
Prof. Woo takes a cautious stance regarding chip-off techniques. Even within digital forensics, chip-off is considered the last resort.
Applying high heat to detach a memory chip can cause bit flips (where bits unexpectedly change from 0 → 1 or 1 → 0), potentially corrupting the original data. Because of this risk, investigative agencies often hesitate to use chip-off unless absolutely necessary. The EDR Imager and Chip Swap tools developed by the Dankook University team were created specifically to mitigate these field-level concerns.
Prof. Woo explained, “When using the imager, you can seal the binary exactly as it was at the moment of extraction and conduct all analysis on the sealed copy. We are not trying to overturn existing investigative practices; rather, we are proposing a more systematic application of the fundamental principles of digital forensics to established investigative workflows.”




What’s More Dangerous Than Hackers?
The Structure Itself
Rebuilding Trust and Redesigning Crash-Investigation Processes


The significance of this research does not lie merely in demonstrating that “an EDR can be hacked.”
The team emphasizes a far more urgent point: the cybersecurity posture of modern vehicles is insufficient.
Although the team reconstructed the storage structure through repeated experiments and reverse-engineered the integrity-check routine, anyone with a strong understanding of automotive systems could manipulate the data even more easily - because they would already have deep knowledge of message formats, bit structures, and integrity-calculation rules.

Prof. Woo explained:
“What we want to highlight is that the conventional claim ‘EDR data cannot be manipulated’ - can no longer be trusted. What makes the problem even worse is the reality of today’s investigative procedures.”

To address these issues, the research team recommends that manufacturers adopt stronger cybersecurity mechanisms and that crash-investigation procedures be redesigned in accordance with standard digital-forensic principles.
If a vehicle is equipped with an HSM (Hardware Security Module) and uses modern cryptographic techniques to generate and verify integrity values, the type of hacking demonstrated in this study becomes practically impossible. An HSM securely stores cryptographic keys and performs encryption, decryption, signing, and integrity-verification operations entirely within the chip. Keys never leave the chip, so even if the entire memory contents are cloned, an attacker without the key cannot produce a matching integrity value.
As a transitional measure - until cryptographic protection becomes standard - the team also recommends strengthening digital-forensic practices at crash scenes to ensure original evidence is preserved without alteration. They propose using forensic-grade equipment that minimizes the risk of data corruption or modification, elevating the handling of EDR data to the same level as hard-disk or mobile-device forensics.
More specifically, they propose:

- recording every step of the investigation from the moment it begins
- extracting the EDR binary as early as possible
- immediately generating and sealing a cryptographic integrity value upon extraction
- using only sealed forensic images - not the original - for all subsequent analysis

This essentially introduces the digital-forensics concept of an “imager” into crash-scene investigations for EDR.
The research team has already developed an EDR Imager, a device that seals integrity at the moment data is extracted at the crash site, enabling investigators to detect any form of tampering thereafter. Using this device, the team is preparing formal proposals for how EDR data should be handled in major-accident investigations in Korea.
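The sealing step of the proposed workflow, as an added example that is not the team's EDR Imager (whose internals the article does not describe): the extracted image is hashed, the hash is bound to custody metadata under a key, and later analysis runs on a copy verified against that seal. The manifest fields, key handling and sample image are assumptions.

```python
# Added example (not the Dankook team's EDR Imager): seal an extracted EDR
# image at the scene and verify a working copy against the seal later.
# Manifest fields, key handling and the sample image are assumptions.
import hashlib
import hmac
import json
import time


def seal_image(image: bytes, case_id: str, operator: str, seal_key: bytes,
               extracted_at: float = None) -> dict:
    """Bind the image digest to custody metadata with a keyed seal."""
    manifest = {
        "case_id": case_id,
        "operator": operator,
        "extracted_at": extracted_at if extracted_at is not None else time.time(),
        "size": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
    }
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    manifest["seal"] = hmac.new(seal_key, canonical, hashlib.sha256).hexdigest()
    return manifest


def verify_image(image: bytes, manifest: dict, seal_key: bytes) -> str:
    """Return 'ok', 'seal-mismatch' (metadata edited or wrong key) or 'image-mismatch'."""
    fields = {k: v for k, v in manifest.items() if k != "seal"}
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    expected = hmac.new(seal_key, canonical, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("seal", "")):
        return "seal-mismatch"
    if len(image) != fields["size"] or hashlib.sha256(image).hexdigest() != fields["sha256"]:
        return "image-mismatch"
    return "ok"


def bit_flip(data: bytes, index: int) -> bytes:
    """Simulate the single-bit corruption the article warns chip-off heat can cause."""
    b = bytearray(data)
    b[index] ^= 0x01
    return bytes(b)


# Constructed sample image: a blank EEPROM stretch followed by one 20-byte row.
SAMPLE_IMAGE = b"\xff" * 200 + bytes([0x01, 0x00, 0x00, 0x00]) + b"\x00" * 16
DEMO_KEY = b"placeholder-imager-seal-key"
```

A manifest sealed with `seal_image` reports `image-mismatch` for a copy with even one flipped bit, and `seal-mismatch` if any custody field is edited or a different key is used.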

Prof. Woo concluded:
“We hope this research becomes the starting point for raising the level of automotive cybersecurity and crash-investigation practices. By combining proven technologies such as HSMs, secure storage, and digital-forensic methodology, the EDR can become a far more trustworthy device than it is today.”




Researchers of the Intelligent Transportation System Security Lab
Ham Dongchan, Yoo Suyeon, and Kim Sunghyun, researchers at the Intelligent Transportation System Security Lab.

AEM (Automotive Electronics Magazine)



<Copyright © AEM. Unauthorized reproduction and redistribution prohibited>

